10250588

Systems and Methods for Determining Reputations of Digital Certificate Signers

Published: April 2, 2019
Assignee: not available in USPTO data
Technical Abstract

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A computer-implemented method for determining reputations of digital certificate signers, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising: identifying a plurality of endpoint devices that have accessed files to which a digital certificate signer has attached digital certificates that assert the files are legitimate; determining, for each endpoint device, whether a security state of the endpoint device is compromised or uncompromised based on a security analysis of computing events detected on the endpoint device; classifying the digital certificate signer as potentially malicious by determining that the files were accessed more frequently by endpoint devices with compromised security states than by endpoint devices with uncompromised security states; and protecting a security state of an additional endpoint device by preventing the additional endpoint device from accessing a file with a digital certificate signed by the digital certificate signer.

2. The method of claim 1, wherein the digital certificate signer comprises a creator of the files.

3. The method of claim 1, wherein the digital certificate signer comprises a third party not associated with the creation of the files.

4. The method of claim 1, wherein identifying the plurality of endpoint devices that have accessed the files comprises identifying, via an agent installed on each endpoint device within an enterprise, digital certificate signers of digital certificates attached to each file accessed by the endpoint devices within the enterprise.

5. The method of claim 1, wherein determining whether the security state of the endpoint device is compromised or uncompromised comprises determining whether at least a predetermined number of malicious computing events occurred on the endpoint device.

6. The method of claim 1, wherein classifying the digital certificate signer as potentially malicious comprises analyzing the security states of the endpoint devices that accessed the files, rather than analyzing security characteristics of the files.

7. The method of claim 1, wherein preventing the additional endpoint device from accessing the file with the digital certificate signed by the digital certificate signer comprises: adding the digital certificate signer to a blacklist of digital certificate signers known to be malicious; and comparing digital certificate signers of digital certificates attached to each file the additional endpoint device attempts to access with the blacklist before allowing the additional endpoint device to access the files.

8. The method of claim 1, further comprising: classifying an additional digital certificate signer as legitimate by determining that at least one additional file to which the additional digital certificate signer has attached an additional digital certificate was accessed more frequently by endpoint devices with uncompromised security states than by endpoint devices with compromised security states; and adding the additional digital certificate signer to a whitelist of digital certificate signers known to be legitimate.

9. A system for determining reputations of digital certificate signers, the system comprising: an identification module, stored in memory, that identifies a plurality of endpoint devices that have accessed files to which a digital certificate signer has attached digital certificates that assert the files are legitimate; a determination module, stored in memory, that determines, for each endpoint device, whether a security state of the endpoint device is compromised or uncompromised based on a security analysis of computing events detected on the endpoint device; a classification module, stored in memory, that classifies the digital certificate signer as potentially malicious by determining that the files were accessed more frequently by endpoint devices with compromised security states than by endpoint devices with uncompromised security states; a security module, stored in memory, that protects a security state of an additional endpoint device by preventing the additional endpoint device from accessing a file with a digital certificate signed by the digital certificate signer; and at least one physical processor configured to execute the identification module, the determination module, the classification module, and the security module.

10. The system of claim 9, wherein the digital certificate signer comprises a creator of the files.

11. The system of claim 9, wherein the digital certificate signer comprises a third party not associated with the creation of the files.

12. The system of claim 9, wherein the identification module identifies the plurality of endpoint devices that have accessed the files by receiving, from agents installed on each endpoint device within an enterprise, digital certificate signers of digital certificates attached to each file accessed by the endpoint devices within the enterprise.

13. The system of claim 9, wherein the determination module determines whether the security state of the endpoint device is compromised or uncompromised by determining whether at least a predetermined number of malicious computing events occurred on the endpoint device.

14. The system of claim 9, wherein the classification module classifies the digital certificate signer as potentially malicious by analyzing the security states of the endpoint devices that accessed the files, rather than analyzing security characteristics of the files.

15. The system of claim 9, wherein the security module prevents the additional endpoint device from accessing the file with the digital certificate signed by the digital certificate signer by: adding the digital certificate signer to a blacklist of digital certificate signers known to be malicious; and comparing digital certificate signers of digital certificates attached to each file the additional endpoint device attempts to access with the blacklist before allowing the additional endpoint device to access the files.

16. The system of claim 9, wherein: the classification module further classifies an additional digital certificate signer as legitimate by determining that at least one additional file to which the additional digital certificate signer has attached an additional digital certificate was accessed more frequently by endpoint devices with uncompromised security states than by endpoint devices with compromised security states; and the security module further adds the additional digital certificate signer to a whitelist of digital certificate signers known to be legitimate.

17. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to: identify a plurality of endpoint devices that have accessed files to which a digital certificate signer has attached digital certificates that assert the files are legitimate; determine, for each endpoint device, whether a security state of the endpoint device is compromised or uncompromised based on a security analysis of computing events detected on the endpoint device; classify the digital certificate signer as potentially malicious by determining that the files were accessed more frequently by endpoint devices with compromised security states than by endpoint devices with uncompromised security states; and protect a security state of an additional endpoint device by preventing the additional endpoint device from accessing a file with a digital certificate signed by the digital certificate signer.

18. The computer-readable medium of claim 17, wherein the digital certificate signer comprises a creator of the files.

19. The computer-readable medium of claim 17, wherein the digital certificate signer comprises a third party not associated with the creation of the files.

20. The computer-readable medium of claim 17, wherein the computer-executable instructions cause the computing device to determine whether the security state of the endpoint device is compromised or uncompromised by determining whether at least a predetermined number of malicious computing events occurred on the endpoint device.
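The following is an added worked illustration of the classification logic described in claims 1, 5, 7 and 8 (and restated in claims 9 through 20); it is not code from the patent or its assignee. It assumes a per-endpoint count of detected malicious events as the "security analysis" of claim 5, a constructed threshold of 3 for claim 5's "predetermined number", and a constructed set of file accesses of the kind an endpoint agent (claim 4) would report. It counts access events per signer; counting distinct endpoints instead is an equally valid reading of the claim wording.

```python
"""Signer reputation derived from the security state of the endpoints that
accessed signed files. Added illustration of the claimed method; the sample
data and the threshold below are constructed, not taken from the patent."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    endpoint: str    # endpoint device identifier
    file_hash: str   # file that was accessed
    signer: str      # subject of the code-signing certificate attached to the file


# Constructed sample: malicious computing events detected per endpoint
# (the input to claim 5's compromised / uncompromised decision).
SAMPLE_EVENT_COUNTS = {"ep1": 5, "ep2": 4, "ep3": 0, "ep4": 1, "ep5": 0}

# Constructed sample: file accesses reported by endpoint agents (claim 4).
SAMPLE_ACCESSES = [
    Access("ep1", "f1", "Signer-A"), Access("ep2", "f1", "Signer-A"),
    Access("ep1", "f2", "Signer-A"), Access("ep3", "f2", "Signer-A"),
    Access("ep3", "f3", "Signer-B"), Access("ep4", "f3", "Signer-B"),
    Access("ep5", "f3", "Signer-B"), Access("ep1", "f3", "Signer-B"),
    Access("ep1", "f4", "Signer-C"), Access("ep3", "f4", "Signer-C"),
]

# Assumed value for claim 5's "predetermined number" of malicious events.
MALICIOUS_EVENT_THRESHOLD = 3


def endpoint_is_compromised(event_counts, endpoint, threshold=MALICIOUS_EVENT_THRESHOLD):
    """Claim 5: an endpoint is compromised once at least `threshold`
    malicious events have been detected on it."""
    return event_counts.get(endpoint, 0) >= threshold


def classify_signers(accesses, event_counts, threshold=MALICIOUS_EVENT_THRESHOLD):
    """Claims 1 and 8: tally, per signer, accesses from compromised versus
    uncompromised endpoints. Returns (blacklist, whitelist, tally) where tally
    maps signer -> (compromised_accesses, uncompromised_accesses)."""
    compromised = defaultdict(int)
    uncompromised = defaultdict(int)
    for a in accesses:
        if endpoint_is_compromised(event_counts, a.endpoint, threshold):
            compromised[a.signer] += 1
        else:
            uncompromised[a.signer] += 1

    tally, blacklist, whitelist = {}, set(), set()
    for signer in set(compromised) | set(uncompromised):
        c, u = compromised[signer], uncompromised[signer]
        tally[signer] = (c, u)
        if c > u:
            blacklist.add(signer)    # claims 1 and 7: mostly compromised accessors
        elif u > c:
            whitelist.add(signer)    # claim 8: mostly uncompromised accessors
        # c == u yields no verdict; the signer stays unclassified
    return blacklist, whitelist, tally


def may_access(signer, blacklist):
    """Claim 7: refuse a file whose certificate signer is on the blacklist."""
    return signer not in blacklist


if __name__ == "__main__":
    bl, wl, tally = classify_signers(SAMPLE_ACCESSES, SAMPLE_EVENT_COUNTS)
    for signer, (c, u) in sorted(tally.items()):
        verdict = "BLOCK" if signer in bl else ("ALLOW" if signer in wl else "UNDECIDED")
        print(f"{signer}: compromised={c} uncompromised={u} -> {verdict}")
```

With the constructed data, Signer-A is blacklisted (three of its four accesses come from compromised endpoints), Signer-B is whitelisted, and Signer-C is left unclassified because the counts tie. Because the verdict depends only on who accessed the files (claim 6), a widely installed legitimate signer will accumulate accesses from both populations, so the comparison is deliberately relative rather than an absolute count of compromised accessors.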

Patent Metadata

Filing Date

Unknown

Publication Date

April 2, 2019

Inventors

Shayak Tarafdar
Sunil Kumar
Pratik Vagyani

Citation

Cite as: Patentable. “SYSTEMS AND METHODS FOR DETERMINING REPUTATIONS OF DIGITAL CERTIFICATE SIGNERS” (10250588). https://patentable.app/patents/10250588